http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.6/2.exe - rule_id: 34108
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://aa.imgjeoogbb.com/check/?sid=210562&key=5227fd466f380e354858165319182c99 - rule_id: 34651
http://83.97.73.134/gallery/photo085.exe - rule_id: 34603
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://77.91.68.30/fuzz/enter.exe
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://77.91.68.63/doma/net/index.php - rule_id: 34361
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://194.169.175.132:3002/ - rule_id: 34588
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
https://traffic-to.site/294/setup294.exe - rule_id: 34662
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-22.userapi.com/c909618/u808950829/docs/d60/ae911c61a5dd/3.bmp?extra=F2b9KK27JpNtvBMC1Y4yaeVn55GajWT6ciGj7uK36P0TiSSHZYJttEnVZ7xiAehKEXj_62ejLS8U620U5C6HvQBD2g1TRCh8y4HgaC8ufeTVNhlHShxa-wiNuI7TnC-rQhAKOOT_JiQCWPewSw
https://db-ip.com/
https://sun6-23.userapi.com/c909518/u808950829/docs/d20/61b6f7cfa51a/WWW1.bmp?extra=ljjMJ3TZ6hB8z3zwpU99CbXdGMsJI37sAXQrCBdep_p8xUGOtNMgqpIxMsmiJLj5QoskckZTqv7df5SHMp18fg6UihbFQ_501LVeEZnkMxFXFdlVvN33LhTs5MPpa_6q5C2eczyDM2RpNwcblg
https://vk.com/doc808950829_663517352?hash=r3SKbalnpLNEHhXDkdRZoDypstvcuZiLfoTMrICifxw&dl=ZGd5edeCxcDIPFuau0XPrh3wmYQ6Se1iGNYMxGiLZ7s&api=1&no_preview=1#3
https://sun6-20.userapi.com/c909228/u808950829/docs/d39/fe32b742760a/PMmp.bmp?extra=VZzlNMvHOBAlFaKT3PjM7fzi2fO1PPHeyMDNPJJo2rbXe1_0xuj-7wPnu8H3ebUInclJGriwMal7va3N5ZM4ubwgDbdcETztEzEEiU7RebYw6sd84k5eBF3RcG0YctzIckqf5x0ELarzyLZzpA
https://sun6-22.userapi.com/c909618/u808950829/docs/d28/48cb46c7a63f/ccloudcosmic.bmp?extra=VkJXQrROemTjw_2DoflDwZ9uMItbxt08ym2ypZRJ-FEjXT6xVFsep1emHxpmTxD4d8Kf4aFroEJxtjEtCqrZ60heNUjAFOlBWzL0XkFfhKvGr_dq1jEIvny9lih3e5-zcBxHiNCuXY0Vxut44Q
https://vk.com/doc808950829_663496587?hash=9HBIzrbBWHKqUnGhHt30dMcZIm1RpmRRZBzZ89JCfGw&dl=JRIT3v6zzNFrou8UYI02dSfdibpUzCLo9YvFXREFvCT&api=1&no_preview=1
https://sun6-20.userapi.com/c909228/u808950829/docs/d4/71e0c58f306b/RisePro_0_1_vgWJ8smB7NzPfuCfGTFK.bmp?extra=3Cg4yg-UpwzvuMvyrsIV03aSiTNLuwpyXiQT_Udm1BGJA0p9ZRy5fvES7sfolN431f_g90Lc-IHZBjwztx12khk9WtEWW_Lo3NhiK_80hG9HT27oqTryvNR9wdf2Ift-OtK49pdROiLxh9bogw
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

callusoyasociados.com.ar(131.255.7.10) - malware
www.maxmind.com(104.17.214.67)
db-ip.com(104.26.5.15)
api.myip.com(172.67.75.163)
hugersi.com(91.215.85.147) - malware
sun6-22.userapi.com(95.142.206.2)
zzz.fhauiehgha.com(156.236.72.121) - mailcious
traffic-to.site(104.21.29.16) - malware
ipinfo.io(34.117.59.81)
aa.imgjeoogbb.com(154.221.26.108) - mailcious
us.imgjeoigaa.com(103.100.211.218) - mailcious
sun6-23.userapi.com(95.142.206.3)
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.78) - mailcious
api.db-ip.com(104.26.4.15)
194.169.175.128 - mailcious
146.59.161.7
95.142.206.2
104.17.215.67
91.215.85.147 - malware
94.142.138.113 - mailcious
208.67.104.60 - mailcious
176.123.9.85 - mailcious
172.67.75.166
77.91.68.30 - malware
154.221.26.108 - mailcious
157.254.164.98 - mailcious
34.117.59.81
87.240.137.164 - mailcious
104.26.8.59
194.169.175.132 - mailcious
77.91.68.63 - malware
45.12.253.74 - malware
94.142.138.131 - mailcious
185.81.68.115 - mailcious
83.97.73.131 - malware
83.97.73.134 - malware
156.236.72.121 - mailcious
45.15.156.229 - mailcious
104.26.4.15
83.97.73.129 - mailcious
95.142.206.3
163.123.143.4 - mailcious
95.142.206.0 - mailcious
121.254.136.27
45.9.74.6 - malware
176.113.115.239 - malware
172.67.171.62
103.100.211.218 - malware
131.255.7.10 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

http://94.142.138.131/api/firegate.php
http://45.9.74.6/2.exe
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe
http://45.15.156.229/api/tracemap.php
http://aa.imgjeoogbb.com/check/
http://83.97.73.134/gallery/photo085.exe
http://94.142.138.131/api/tracemap.php
http://208.67.104.60/api/tracemap.php
http://77.91.68.63/doma/net/index.php
http://us.imgjeoigaa.com/sts/imagc.jpg
http://194.169.175.132:3002/
http://aa.imgjeoogbb.com/check/safe
https://traffic-to.site/294/setup294.exe

89.208.103.225

https://api.ipify.org/

valerehandstand.com(66.29.132.105)
api.ipify.org(104.237.62.211)
66.29.132.105
64.185.227.155

SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

cdn.discordapp.com(162.159.135.233) - malware
162.159.133.233 - malware

ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://www.ohrana-truda-truda-rf.online/ge83/?pPX=2nm9SBzFpAsGMwKaX6GJHPtsi8QD7hmQKbLOqqduPt9dPD3Sph+kutYOcJDygkW/3BYE0dDT&1bj=jlNDpj_pi

www.ohrana-truda-truda-rf.online(172.67.144.112)
www.thepresaleplug.com()
172.67.144.112 - mailcious

ET MALWARE FormBook CnC Checkin (GET)

https://api.ipify.org/

api.ipify.org(173.231.16.76)
173.231.16.76

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

135.181.205.149

https://api.ipify.org/

api.ipify.org(64.185.227.155)
104.237.62.211

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

135.181.205.149

ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response

168.119.239.218 - mailcious

ET MALWARE RedLine Stealer TCP CnC net.tcp Init

https://yandex.ru/showcaptcha?cc=1&mt=5D1DFE957BC55C0C13A0F3496A5246409470CAE10665908D60E4A11127CE0D362A7C960D448E46C99B7ABEBB4D8E3860EE257CBD8B65FF3183BBFE46F37D6B73A9571A37E1FAD1D6DCAE864C73D4B795A3EA5DD1D1DC3CCC8B21&retpath=aHR0cHM6Ly95YW5kZXgucnUvPw%2C%2C_0b3d93996162204192850f35a89c2b92&t=2/1687939219/d0911666741300a32b2774f8ed789ccd&u=e231e10d-f7415e09-81557e5c-3735fe90&s=63ae957878b231fa7f96e2acf1716d16
https://yandex.ru/

yandex.ru(5.255.255.70)
5.255.255.70

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

api.ipify.org(173.231.16.76)
64.185.227.155